It's a frightening flaw that could have allowed abusers to track their victims by tracking their phone.
Or spies to track their target.
A service called LocationSmart allows customers to track almost any mobile phone in the United States. And its demo site went further—allowing random people to track phones without the user's permission.
The company says it has fixed the flaw.
Data Breach Today reports:
"The error involved the website of LocationSmart, which tracks and sells the location of mobile phone users. The flaw could have been exploited to track any user of a mobile device registered via a major U.S. cellular carrier in real time with an accuracy that appears to vary from 100 yards to 1.5 miles."
Brian Krebs was contacted by a PhD candidate who says he accidentally ran into the flaw. Krebs reports:
"But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.
'I stumbled upon this almost by accident, and it wasn’t terribly hard to do,' Xiao said. 'This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.'"
This whole ball of wax started coming undone after Oregon Senator Ron Wyden wrote a letter to the FCC last week. Wyden is big on cyber related issues and privacy.
He asked the FCC to look into how a different company was allowing law enforcement to track phones of those who call people in prison and to do so without consent.
Well, it turns out that company, Securus, gets it data from LocationSmart.
This is more proof, we suppose, that data is the new oil. It's valuable, everyone wants it, and most of us never know who has it.